IPv6 testing
-
Thanks for the default gateway bit Databeestje.
Pretty awesome that CMB and Sullrich are now also committing to your repository.
And is the IPv6 build that SimonCPU is working on also going to be merged with your build or vice versa?
-
The SimonCPU build is out of date, it was started, then promptly stopped shortly after. It's just a lot of work, and doing this thing on your own is a bit hard.
I helped Scott load my IPv6 branch on his firewall last night, a gitsync and a firmware update later he had addressing going. This prompted him to make the tinydns package IPv6 capable last night.
So in just a few hours' time he both coded the support for IPv6 in the tinydns package and installed and enabled his own domain/webserver with an IPv6 address and published it. From zero to go in 4 hours.
The whole IPv6 scare mongering that it is going to cost the world trillions and that it's undoable is slightly overrated.
-
I remember reading that icmp6 replaces arp a while back but forgot. It's time to study up on IPv6, and having a working tunnel helps a lot in the learning process.
Thanks again for all your work!!
Edit: ICMP6 Echo Requests are denied by default. Played with some rules to allow the WAN and LAN address but not the clients. Works great!!
-
Nice, this is great progress. Nice to see the gateway thing fixed. Now one question: I see in monowall they have IPv6 enabled up the cahoot! My current ISP has native IPv6 using a dual stack setup and PPPoE, thus needing a simple couple of commands added to the mpd5 default config, which I have enabled on another test box, and it still seems to be missing something. I am thinking it's missing the default IPv6 route perhaps?
Anyways, not sure if you're able to add this to a future release of your sync, but maybe telling mpd5 to listen for ipcp6 requests and set the default route for it. I've gotten the one command line but not sure about the other.
-
Yep, I am up and running on IPV6 now. It's almost scary. And lonely. Need more v6 sites to surf to!
-
Anyways, not sure if you're able to add this to a future release of your sync, but maybe telling mpd5 to listen for ipcp6 requests and set the default route for it. I've gotten the one command line but not sure about the other.
what is the command you are referring to?
-
Yep, I am up and running on IPV6 now. It's almost scary. And lonely. Need more v6 sites to surf to!
v6.facebook.com
is one popular one :)
-
Anyways, not sure if you're able to add this to a future release of your sync, but maybe telling mpd5 to listen for ipcp6 requests and set the default route for it. I've gotten the one command line but not sure about the other.
what is the command you are referring to?
set bundle enable ipv6cp
Ref link to this http://www.dslreports.com/forum/remark,23876931
-
So in just a few hours' time he both coded the support for IPv6 in the tinydns package and installed and enabled his own domain/webserver with an IPv6 address and published it. From zero to go in 4 hours.
Was the tinydns package updated with this code, or will that be down the road?
-
Anyways, not sure if you're able to add this to a future release of your sync, but maybe telling mpd5 to listen for ipcp6 requests and set the default route for it. I've gotten the one command line but not sure about the other.
what is the command you are referring to?
set bundle enable ipv6cp
Ref link to this http://www.dslreports.com/forum/remark,23876931
Btw, with a little more digging and research I was able to determine it was the actual IPv6 default route that was not correct. So setting the enable ipv6cp in the mpd5 config and setting the default IPv6 route to use the pppoe interface: "route -n add -inet6 default -interface pppoe0". I will point out that atm the gateway stuff on the GUI doesn't show online etc.
-
After hours of experiments I finally got my IPv6 tunnel via HE.net to work :D The problem was indeed due to my physical setup. Once I removed the DLink DIR655 router as my gateway to the internet, all worked fine. Both for my Hyper-V virtualized pfSense 2.0 beta 5 image as for a dedicated machine installation I experimented with as long as they're directly connected to the internet modem.
Only problem with the Hyper-V virtualized instance was that the Legacy Network Adapters required for pfSense are limited to 100 mbit and in reality are not able to allow more than about 40 mbit/sec to flow through. Having a 120 mbit connection to the internet I decided to go with the dedicated machine for now.
The connection from my home pcs either to IPv4 sites or IPv6 sites is amazingly fast. I noticed that the biggest slowdown in surfing the web was due to the Ziggo DNS servers at 212.54.35.25 and 212.54.40.25 being very slow. They need an average of 2 to 3 seconds to reply to a DNS lookup. I'm now using the Google open DNS servers at 8.8.8.8 and 8.8.4.4 and they're incredibly fast. At speedtest.net I score 122 mbits/sec download and 9 mbits/sec upload speeds. Surfing the web now is really a joy.
I'm still stuck with these issues though:
1. pfSense does not seem to add the line "ifconfig gif0 inet6 2001:470:1f14:xxx::2 2001:470:1f14:xxx::1 prefixlen 128". When I check "ifconfig gif0" after a reboot, this line is missing. When adding it manually via the console, it's added and the connection to Hurricane Electric is created.
2. With the latest gitsync I can now indeed specify a default gateway for both IPv6 and IPv4, but they do not seem to be applied. I still need to do a "route -n add -inet6 default 2001:470:1f14:xxx::1" via the console to get it to route IPv6 traffic.
3. When trying to use the DHCPv6 service on pfSense 2b5, I'm seeing the following error in the system logs:
php: /services_dhcpv6.php: The command '/usr/local/sbin/dhcpd -6 -user dhcpd -group _dhcp -chroot /var/dhcpd -cf /etc/dhcpdv6.conf nge0' returned exit code '1', the output was 'Internet Systems Consortium DHCP Server 4.1.1-P1 Copyright 2004-2010 Internet Systems Consortium. All rights reserved. For info, please visit https://www.isc.org/software/dhcp/ /etc/dhcpdv6.conf line 20: semicolon expected. option netbios-name-servers 2001: ^ Configuration file errors encountered – exiting If you did not get this software from ftp.isc.org, please get the latest from ftp.isc.org and install that before requesting help. If you did get this software from ftp.isc.org and have not yet read the README, please read it before requesting help. If you intend to request help from the dhcp-server@isc.org mailing list, please read the section on the README about submitting bug reports and requests for help. Please do not under any circumstances send requests for help
When checking /etc/dhcpdv6.conf I found that this file does not exist.
Anyone got an idea what can be the issue with any of these problems?
-
v6.facebook.com
is one popular one :)
It should be: www.v6.facebook.com. Without the www it is not listed in the DNS records.
-
1. pfSense does not seem to add the line "ifconfig gif0 inet6 2001:470:1f14:xxx::2 2001:470:1f14:xxx::1 prefixlen 128". When I check "ifconfig gif0" after a reboot, this line is missing. When adding it manually via the console, it's added and the connection to Hurricane Electric is created.
2. With the latest gitsync I can now indeed specify a default gateway for both IPv6 and IPv4, but they do not seem to be applied. I still need to do a "route -n add -inet6 default 2001:470:1f14:xxx::1" via the console to get it to route IPv6 traffic.
3. When trying to use the DHCPv6 service on pfSense 2b5, I'm seeing the following error in the system logs:
When checking /etc/dhcpdv6.conf I found that this file does not exist.
1. Have you actually created the gif interface as listed in the howto? http://iserv.nl/files/pfsense/ipv6/
2. This should really be fixed since yesterday or so. The subnet check on the routing page now correctly allows for saving the gateway on the gif interface. The IPv6 WAN interface should have the (default) listed on the page.
see http://iserv.nl/files/pfsense/ipv6/gateways-overview.png
3. Looks like the netbios option is not supported for v6. I'll remove that.
-
So far everything has been working smoothly for me.
After enabling ipv6 in remote locations I've been able to connect directly through the public address and even use the public dns name to resolve the ipv6 address.
Something that I haven't been able to find out though, is how can I see which machines use which address?
Is there something like a dhcp lease list or an arp-like list (though I know arp has been superseded by NDP).
The reason for my wanting to know this is that I want to make an alias containing all my ipv6 clients, so that I can add all of them in both ipv6wan-in and ipv6lan-out rules.
For instance: Currently, I can't seem to be able to connect to a local ftp through its public address if I don't open the firewall port on the wanipv6 side as well.
A possible solution would be:
1. Collecting all my clients in an alias
2. Making a rule in the gist of 'Allow all in alias ipv6clients to connect to all in alias ipv6 clients using any protocol on ipv6'
3. Adding that rule in both wanipv6 and lan interfaces
So that:
4. All my 'trusted' clients are able to talk to one another as if they were on the same local (unfiltered) network.
However, short of opening network preferences, network control panel or running netstat on every machine that I have control over, finding out which ipv6 addresses are being used seems to be (as of yet) impossible.
Is there a way of finding out which machines are using which address and would the rule and alias combination that I propose above work as I think it would?
On a side note, I found some interesting information on the subject of NDP and ipv6 discovery in general here.
-
1. Have you actually created the gif interface as listed in the howto? http://iserv.nl/files/pfsense/ipv6/
Yes I did. However, since that howto still shows some errors it's confusing to use. When I go to Interfaces -> (assign) -> GIF and edit the GIF to HE now, all seems to be fine. When I hit save and check "ifconfig gif0" on the console, I see it removed my "inet6 2001:470:1f14:xxx::2 --> 2001:470:1f14:xxx::1 prefixlen 128" line. Also my default ipv6 route is gone. What I do notice is that it has added "inet6 2001:470:1f14:xxx::2 prefixlen 128" as also stated in the howto. But no connection to HE and no IPv6 connectivity. Now when I run my custom script again which runs "ifconfig gif0 inet6 2001:470:1f14:xxx::2 2001:470:1f14:xxx::1 prefixlen 128", the connection to HE is up again. When I run "route -n add -inet6 default 2001:470:1f14:xxx::1" after that, my full IPv6 connectivity is alive again from both my pfSense machine as all my client machines behind it.
2. This should really be fixed since yesterday or so. The subnet check on the routing page now correctly allows for saving the gateway on the gif interface. The IPv6 WAN interface should have the (default) listed on the page.
see http://iserv.nl/files/pfsense/ipv6/gateways-overview.png
It does indeed now display both default gateways. Check my attached image. It does add the default IPv4 gateway, but does not add the IPv6 default gateway. I'm thinking this is because of the problem expressed above at #1. I also can not add a default IPv6 gateway from the console before the "ifconfig gif0 inet6 2001:470:1f14:xxx::2 2001:470:1f14:xxx::1 prefixlen 128" line is executed and the connection to HE is set up, so I'm guessing at the background the same problem exists. The tunnel is not set up, so adding the default IPv6 gateway fails.
3. Looks like the netbios option is not supported for v6. I'll remove that.
Thanks! I'll monitor your repository to see when the update is available :)
-
Another question by the way, I noticed that I can not reach the pfSense web UI via the IPv6 address set on the LAN facing NIC, only via its IPv4 address. Is there an easy way to have the webserver also bind to the IPv6 address to listen on or does that involve more than hacking some config file?
-
@iFloris The ndp binary will be included in snapshots shortly, it lists neighbours.
It does not have a page yet, I need to make one first.
-
@iFloris The ndp binary will be included in snapshots shortly, it lists neighbours.
It does not have a page yet, I need to make one first.
Great!
Any list is better than none and your hard work is very much appreciated.
Until a page is made we'll make do with the binary (when I figure out how to use it, that is).
I remember someone saying something about implementing ipv6 being far too much work for one person..
-
-
And more progress made.. issues 1 and 2 are resolved now. I had to go through all the steps again and even though all was correctly configured already, saving the settings again would create the appropriate config files to make it work without any custom scripts! Thanks bunches databeestje! ;D
I just synced with your recent update and I can also confirm the DHCPv6 to be working now! Making IPv6 reservations for DHCPv6 does not work yet, but I'm sure you're aware of that and have it somewhere on your huge todo list.
Great work! Keep up the good job.